ACLs
Slide #1
Topics
• Access Lists
• Wildcard Masks
• Standard ACLs
• Extended ACLs
• Named ACLs
Slide #2
Access Control Lists
ACLs cause routers to filter packets
– Packets specified by IP address, protocol, etc.
– Used to protect network from unauthorized
access and attacks.
Slide #3
What You Can Do
Filter packets based on:
• IP address the packet is coming from (source IP)
• IP address the packet is going to (destination IP)
• IP protocol (ICMP, TCP, UDP, etc.)
• TCP/UDP port the packet is coming from (source port)
• TCP/UDP port the packet is going to (destination port)
• TCP flags (SYN, ACK, RST, etc.) set in the packet
Slide #4
What You Can Do
Examples:
• Prevent any outside IP address from connecting to the telnet port on any of your networks.
• Allow certain IP addresses to connect to the ssh port on a single server on your network.
• Allow anyone to connect via HTTP or HTTPS to your web server.
Slide #5
What You Can't Do
Basic packet filtering isn't powerful enough to:
• Specify which users can log in via telnet from the outside.
• Limit which files can be transferred out of your network.
• Prevent people from tunneling IM protocols over outbound HTTP connections.
Slide #6
Where Can ACLs Be Used
On each interface, in each direction (ip access-group <number> in | out):
– inbound: applied before the routing decision, to packets arriving on the interface
– outbound: applied after the routing decision, to packets leaving the interface
Slide #7
Wildcard Masks
Wildcard masks
– Define the portion of an IP address to be ignored.
– 0 bits must match, 1 bits are wildcards (don't care).
– Logical inverse of a subnet mask.

Wildcard Mask   Binary                                 Description
0.0.0.0         00000000.00000000.00000000.00000000    Entire IP must match
0.0.0.255       00000000.00000000.00000000.11111111    1st 24 bits must match
0.0.15.255      00000000.00000000.00001111.11111111    1st 20 bits must match
0.0.3.255       00000000.00000000.00000011.11111111    1st 22 bits must match
Slide #8
Computing Wildcard Masks
Take the network address and netmask to block:
172.16.8.0 255.255.252.0
Subtract the subnet mask from 255.255.255.255:
  255.255.255.255
- 255.255.252.  0
  ---------------
    0.  0.  3.255
So the ACL entry is written 172.16.8.0 0.0.3.255.
Slide #9
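The wildcard arithmetic above, as an added Python example that is not part of the slides. It computes a wildcard from a netmask or a prefix length and tests an address against a network+wildcard pair the way an ACL entry does; it also goes a little beyond the slide by converting a contiguous wildcard back to CIDR, by showing that a wildcard need not be contiguous (0.255.0.255 is legal and matches 10.x.0.y), and by showing what happens when a subnet mask is typed where a wildcard belongs. All addresses are constructed for the example.

```python
import ipaddress
from typing import Optional

# Added example, not from the slides: compute Cisco wildcard masks and test
# addresses against "network wildcard" pairs the way an ACL entry does.

def wildcard_from_netmask(netmask: str) -> str:
    """Wildcard = 255.255.255.255 - netmask, i.e. the bitwise inverse."""
    m = int(ipaddress.IPv4Address(netmask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))

def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard for a /n prefix: the low 32-n bits are 'don't care' (1s)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))

def matches(addr: str, acl_addr: str, wildcard: str) -> bool:
    """True if addr matches acl_addr under wildcard.
    A 1 bit in the wildcard means 'ignore this bit'; a 0 bit means 'must match'."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(acl_addr))
    return (a & care) == (b & care)

def entry_to_cidr(acl_addr: str, wildcard: str) -> Optional[str]:
    """Rewrite network+wildcard as CIDR when the wildcard is contiguous
    (all 1s at the low end); return None for a discontiguous wildcard."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):            # w is a run of low 1s iff w+1 is a power of two
        return None
    prefix = 32 - w.bit_length()
    return str(ipaddress.ip_network(f"{acl_addr}/{prefix}", strict=False))

if __name__ == "__main__":
    # The slide's example: block 172.16.8.0 255.255.252.0
    print(wildcard_from_netmask("255.255.252.0"))                 # 0.0.3.255
    print(matches("172.16.9.77", "172.16.8.0", "0.0.3.255"))      # True
    print(matches("172.16.12.1", "172.16.8.0", "0.0.3.255"))      # False
    # Wildcards need not be contiguous: 0.255.0.255 matches 10.<any>.0.<any>
    print(matches("10.77.0.9", "10.0.0.0", "0.255.0.255"))        # True
    print(entry_to_cidr("10.0.0.0", "0.255.0.255"))               # None
    # Common mistake: typing the subnet mask where a wildcard belongs.
    # 172.16.8.0 255.255.252.0 only pins the low 2 bits of octet 3 and all of
    # octet 4, so unrelated addresses such as 8.8.8.0 match it.
    print(matches("8.8.8.0", "172.16.8.0", "255.255.252.0"))      # True
```

The last case is the one to remember when reviewing a config: a "wildcard" with 1s in the high bits almost never means what the author intended, and IOS accepts it silently.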
Types of Cisco ACLs
Standard ACLs
– Filter based on source IP address only.
– Numbers 1-99 and 1300-1999.
Extended ACLs
– Filter based on source and destination IP address.
– Filter based on protocol and port information.
– Numbers 100-199 and 2000-2699.
Slide #10
Standard ACLs
Syntax: access-list num action source [wildcard_mask]

access-list 1 remark Stop traffic from Bob.
access-list 1 deny 172.16.3.10 0.0.0.0
access-list 1 permit 0.0.0.0 255.255.255.255
interface fa0/1
 ip address 172.16.1.1 255.255.255.0
 ip access-group 1 out

Topology: Bob (172.16.3.10) is on 172.16.3.0/24 behind fa0/0; the list is applied outbound on fa0/1 (172.16.1.0/24), so Bob's packets are dropped as they leave the router toward that LAN.
Slide #11
Standard ACLs
Syntax: access-list num action source [wildcard_mask]
The same list using the host and any keywords (host X is shorthand for X 0.0.0.0; any is shorthand for 0.0.0.0 255.255.255.255):

access-list 1 remark Stop traffic from Bob.
access-list 1 deny host 172.16.3.10
access-list 1 permit any
interface fa0/1
 ip address 172.16.1.1 255.255.255.0
 ip access-group 1 out

Topology: Bob (172.16.3.10) is on 172.16.3.0/24 behind fa0/0; the list is applied outbound on fa0/1 (172.16.1.0/24).
Slide #12
Configuration Example
Criteria:
• Deny Sam (10.1.2.1) access to Bugs or Daffy.
• Deny hosts on the Seville LAN (10.1.3.0/24) access to hosts on the Yosemite LAN.

Yosemite
interface serial 0
 ip access-group 3 out
!
access-list 3 deny host 10.1.2.1
access-list 3 permit any

Seville
interface serial 1
 ip access-group 4 out
!
access-list 4 deny 10.1.3.0 0.0.0.255
access-list 4 permit any
Slide #13
Configuration Example
Alternative placement of the same two lists, both configured on Yosemite:

Yosemite
interface serial 0
 ip access-group 3 out
!
interface serial 1
 ip access-group 3 out
!
interface ethernet 0
 ip access-group 4 out
!
access-list 3 remark meets criteria 1
access-list 3 deny host 10.1.2.1
access-list 3 permit any
!
access-list 4 remark meets criteria 2
access-list 4 deny 10.1.3.0 0.0.0.255
access-list 4 permit any
Slide #14
Configuration Example
Alternative placement of the same two lists, outbound on the Ethernet interfaces facing the protected LANs:

Albuquerque
interface ethernet 0
 ip access-group 3 out
!
access-list 3 remark meets criteria 1
access-list 3 deny host 10.1.2.1
access-list 3 permit any

Yosemite
interface ethernet 0
 ip access-group 4 out
!
access-list 4 remark meets criteria 2
access-list 4 deny 10.1.3.0 0.0.0.255
access-list 4 permit any
Slide #15
Extended ACLs
Command:
access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [log | log-input]
Configuration mode and description: global command for extended numbered access lists. Use a number between 100 and 199 or 2000 and 2699, inclusive.

Command:
access-list access-list-number {deny | permit} {tcp | udp} source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [log]
Configuration mode and description: a version of the access-list command with TCP/UDP-specific parameters (port operators; established applies to TCP only).
Slide #16
Extended ACLs
access-list 101 remark Stop A from telneting to B.
access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any
interface fa0/0
 ip access-group 101 in

Topology: A is behind fa0/0 and B behind fa0/1. The list is applied inbound on fa0/0, so A's telnet packets (TCP destination port 23) are dropped on arrival. Note that, as written with any any, the entry blocks telnet from A to every destination, not just to B; to limit it to B, replace the second any with host <B's address>.
Slide #17
Specifying Ports
Operator     Matches
lt n         All ports less than n
gt n         All ports greater than n
eq n         Port n
neq n        All ports except for n
range n m    All ports from n through m, inclusive
Slide #18
established keyword
Used to match established TCP connections
– Matches TCP packets with either the ACK or RST flag set.
– Only the first packet of a connection (the SYN) lacks both flags.
– Used to allow response packets to outgoing connections without allowing new inbound connections.
– Caveat: this is a flag check, not connection tracking. A packet crafted with ACK set matches even when no connection exists, so established blocks casual inbound connection attempts but not a deliberate scan or attack; use stateful inspection where that matters.

access-list 110 permit tcp any any established
access-list 110 deny ip any any
access-list 111 permit tcp any any eq telnet
access-list 111 deny ip any any
interface fa0/0
 ip access-group 110 in
 ip access-group 111 out
Slide #19
Example: outbound telnet
Client on internal net telnets to external server.
– Must allow outgoing packets to send commands.
– Must allow incoming packets to receive responses.
Slide #20
Outgoing Packets
• Source IP of packets is the client's IP address.
• Destination IP of packets is the server's IP address.
• Protocol type is TCP.
• TCP destination port is 23.
• TCP source port is a random (ephemeral) port X > 1023.
• The first outgoing packet establishes the connection with the SYN flag set.
• Remaining outgoing packets have the ACK flag set.
Slide #21
Example: outbound telnet
access-list 110 permit tcp any gt 1023 any eq telnet
access-list 110 deny ip any any
access-list 111 permit tcp any eq telnet any gt 1023 established
access-list 111 deny ip any any
interface fa0/1
 ip access-group 110 out
 ip access-group 111 in

Here fa0/1 faces the external network: list 110 (outbound) lets the client's packets from an ephemeral port reach port 23, and list 111 (inbound) lets only flagged responses from port 23 back to an ephemeral port.
Slide #22
Preventing IP Spoofing
Must occur on the Internet gateway router.
Incoming packets from the Internet that carry one of your own source addresses are spoofed (or there is an unexpected egress path into your network, which is worth investigating either way).

! ACL to block IP address spoofing
access-list 111 deny ip 172.17.7.0 0.0.0.255 any
access-list 111 permit ip any any
! Internet interface; to block spoofing
interface serial0
 ip access-group 111 in

List every prefix you own in deny entries before the final permit; the permit ip any any leaves everything else open, so in practice the spoofing entries sit at the top of the full inbound list rather than in a list of their own.
Slide #23
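The outbound-telnet lists and the anti-spoofing list above, run through an added Python evaluator that is not part of the slides. It parses a subset of the numbered access-list syntax (permit/deny; ip/tcp/udp/icmp; any, host, or address+wildcard; eq/gt/lt/neq/range; established) and applies a list first-match with the implicit deny at the end, which is also the processing model for standard ACLs. The port-name table is an assumed subset of the IOS names, the log keyword and ICMP type matching are not handled, and the packets are constructed using documentation address ranges. The CRAFTED_ACK case shows the weakness of established: a forged packet with ACK set is permitted without any connection existing.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not from the slides: evaluator for Cisco-style numbered
# extended ACL lines, applied first-match with the implicit deny at the end.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}   # assumed subset of IOS port names

def _ipint(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _pnum(s: str) -> int:
    return PORT_NAMES[s] if s in PORT_NAMES else int(s)

@dataclass
class Entry:
    action: str; proto: str            # "permit"/"deny"; "ip"/"tcp"/"udp"/"icmp"
    src: int; src_wc: int              # wildcard: 1 bits are "don't care"
    dst: int; dst_wc: int
    src_port: Optional[Tuple] = None   # ("eq", 23) or ("range", 1024, 65535)
    dst_port: Optional[Tuple] = None
    established: bool = False          # match only if ACK or RST is set

def _addr(t, i):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (addr, wildcard, next index)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _ipint(t[i + 1]), 0, i + 2
    return _ipint(t[i]), _ipint(t[i + 1]), i + 2

def _port(t, i):
    """Consume an optional port operator; return (spec or None, next index)."""
    if i < len(t) and t[i] in ("eq", "gt", "lt", "neq"):
        return (t[i], _pnum(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return ("range", _pnum(t[i + 1]), _pnum(t[i + 2])), i + 3
    return None, i

def parse(line: str) -> Optional[Entry]:
    """Parse one 'access-list N permit|deny ...' line; blanks and remarks give None."""
    t = line.split()
    if not t or t[0] != "access-list" or t[2] == "remark":
        return None
    action, proto = t[2], t[3]
    src, swc, i = _addr(t, 4)
    sp, i = _port(t, i) if proto in ("tcp", "udp") else (None, i)
    dst, dwc, i = _addr(t, i)
    dp, i = _port(t, i) if proto in ("tcp", "udp") else (None, i)
    return Entry(action, proto, src, swc, dst, dwc, sp, dp,
                 proto == "tcp" and "established" in t[i:])

def build(text: str):
    return [e for e in map(parse, text.splitlines()) if e]

def _port_ok(spec, port: int) -> bool:
    if spec is None:
        return True
    op, n = spec[0], spec[1]
    if op == "range":
        return n <= port <= spec[2]
    return {"eq": port == n, "gt": port > n, "lt": port < n, "neq": port != n}[op]

def evaluate(acl, pkt: dict):
    """Return (action, 1-based entry number); entry None is the implicit deny."""
    s, d = _ipint(pkt["src"]), _ipint(pkt["dst"])
    for n, e in enumerate(acl, 1):
        if e.proto != "ip" and e.proto != pkt["proto"]:
            continue
        if (s & ~e.src_wc) != (e.src & ~e.src_wc) or (d & ~e.dst_wc) != (e.dst & ~e.dst_wc):
            continue
        if pkt["proto"] in ("tcp", "udp") and not (
                _port_ok(e.src_port, pkt["sport"]) and _port_ok(e.dst_port, pkt["dport"])):
            continue
        # 'established' is stateless: it only looks at the flags of this packet.
        if e.established and not (pkt.get("flags", set()) & {"ACK", "RST"}):
            continue
        return e.action, n
    return "deny", None

# The outbound-telnet lists from the slides (110 applied out, 111 in on fa0/1).
TELNET_OUT = build("""access-list 110 permit tcp any gt 1023 any eq telnet
access-list 110 deny ip any any""")
TELNET_IN = build("""access-list 111 permit tcp any eq telnet any gt 1023 established
access-list 111 deny ip any any""")
# The anti-spoofing list from the slides, applied inbound on the Internet interface.
ANTISPOOF_IN = build("""access-list 111 deny ip 172.17.7.0 0.0.0.255 any
access-list 111 permit ip any any""")
# Constructed packets (documentation address ranges, not real hosts).
CLIENT_SYN = dict(src="172.16.1.10", dst="203.0.113.5", proto="tcp", sport=40000, dport=23, flags={"SYN"})
SERVER_REPLY = dict(src="203.0.113.5", dst="172.16.1.10", proto="tcp", sport=23, dport=40000, flags={"SYN", "ACK"})
INBOUND_SYN = dict(src="198.51.100.9", dst="172.16.1.10", proto="tcp", sport=40000, dport=23, flags={"SYN"})
CRAFTED_ACK = dict(src="198.51.100.9", dst="172.16.1.10", proto="tcp", sport=23, dport=40000, flags={"ACK"})
SPOOFED = dict(src="172.17.7.5", dst="172.17.7.1", proto="udp", sport=53, dport=53)

if __name__ == "__main__":
    print(evaluate(TELNET_OUT, CLIENT_SYN))    # ('permit', 1)
    print(evaluate(TELNET_IN, SERVER_REPLY))   # ('permit', 1)
    print(evaluate(TELNET_IN, INBOUND_SYN))    # ('deny', 2)
    print(evaluate(TELNET_IN, CRAFTED_ACK))    # ('permit', 1)  forged ACK passes
    print(evaluate(ANTISPOOF_IN, SPOOFED))     # ('deny', 1)
```

The address test uses the complement of the wildcard as the set of bits that must match, which is exactly the comparison a router makes; the two lists numbered 111 are kept as separate Python objects because the slides reuse the number for two different lists.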
Editing Access Lists
Adding a new line
access-list 1 deny host 10.10.10.1
Added to the end of the ACL (before the implicit deny).
Any other modification to a numbered ACL
1. Create an access list with a new number.
2. Change the interface to use the new ACL.
3. Delete the old ACL (no access-list 1).
4. Create a copy of the new ACL with the old number.
5. Change the interface to use the old ACL number.
6. Delete the new ACL number.
The order matters: an ip access-group that refers to an ACL which does not exist filters nothing (all packets pass), so delete the old list only after the interface has been pointed at the new one, and never leave an interface referencing a list you have just removed.
Slide #24
ACL Processing
Access lists are processed sequentially (first match wins):
1. If a rule matches, its permit or deny action is taken and processing stops.
2. If not, processing goes on to the next rule.
3. The last configured entry typically permits or denies any.
4. The router adds an implicit deny all to the end of every ACL (it is not shown in the configuration).
For best performance, place the most frequently matched entries at the top, as long as reordering does not change which entry a packet matches first.
Slide #25
Placement of ACLs
• Place standard ACLs near the destination of the packets.
  – A standard ACL matches only the source address, so placed near the source it would cut that source off from every destination, not just the one you mean to protect.
• Place extended ACLs as close as possible to the source of the packets.
  – Unwanted traffic is dropped before it crosses the network, which improves network performance.
Slide #26
Named ACLs
Advantages
– Use names to identify purpose of ACLs.
– Can insert, delete, and modify entries in ACL.
Router(config)#ip access-list extended barney
Router(config-ext-nacl)#permit tcp host 10.1.1.2 eq www any
Router(config-ext-nacl)#deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
Router(config-ext-nacl)#deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
! The next statement is purposefully wrong so that the process of changing
! the list can be seen.
Router(config-ext-nacl)#deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255
Router(config-ext-nacl)#deny ip host 10.1.1.130 host 10.1.3.2
Router(config-ext-nacl)#deny ip host 10.1.1.28 host 10.1.3.2
Router(config-ext-nacl)#permit ip any any
Slide #27
Editing Named ACLs
Router(config)#ip access-list extended barney
Router(config-ext-nacl)#no deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255
Router(config-ext-nacl)#^Z
Router#show access-list
Extended IP access list barney
    10 permit tcp host 10.1.1.2 eq www any
    20 deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
    30 deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
    50 deny ip host 10.1.1.130 host 10.1.3.2
    60 deny ip host 10.1.1.28 host 10.1.3.2
    70 permit ip any any
Note that "no 40" would have performed the same deletion, and that a new entry can be inserted at a chosen position by prefixing it with an unused sequence number (for example 40 to put it back between 30 and 50).
Slide #28
Applying ACLs to Lines
Use access-class instead of access-group on vty lines.
Controls who may open telnet and ssh sessions to the router itself: the ACL is matched against the source address of the management connection. ACL 10 below is a standard ACL listing the permitted management hosts and must be defined separately; if it is missing, the line is not protected.
line vty 0 4
 login
 password cisco
 access-class 10 in
Slide #29